mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
Handle differentation of directories and files via / for the dfa engine.
This causes the dfa engine to not strip trailing / and to handle the /*/, /**/, /* and /** cases specially, so that directories don't get matched unintentionally.

aare -> pcre
  /foo/*  -> /foo/[^/][^/]*   so the dir /foo/ will not match the rule
  /foo/** -> /foo/[^/].*
  /*/foo  -> /[^/][^/]*/foo   so the rule won't match //foo
  /**/foo -> /[^/].*/foo

Rules that contain more than a * or ** between dir / elements do not get converted, i.e. /foo* /foo** /foo*/ /foo**/ /*foo /**foo /*foo/ /**foo/

There is a known case where this patch is incomplete: when there exists an alternation that can be empty and * or **, i.e. /{foo,}* /{foo,*}
parent
a39a3b0410
commit
51b25bd3e5
1 changed files with 43 additions and 4 deletions
|
@ -107,10 +107,18 @@ static void filter_slashes(char *path)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
*dptr = 0;
|
*dptr = 0;
|
||||||
/* eliminate trailing slash */
|
|
||||||
len = strlen(path);
|
if (regex_type != AARE_DFA) {
|
||||||
if (len > 2 && path[len -1] == '/') {
|
/* eliminate trailing slashes for versions of apparmor that
|
||||||
path[len - 1] = 0;
|
* do not use the dfa engine.
|
||||||
|
* Versions of apparmor which use the dfa engine use the
|
||||||
|
* trailing / to differentiate between file and directory
|
||||||
|
* matches
|
||||||
|
*/
|
||||||
|
len = strlen(path);
|
||||||
|
if (len > 2 && path[len -1] == '/') {
|
||||||
|
path[len - 1] = 0;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -177,6 +185,35 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
|
||||||
*/
|
*/
|
||||||
STORE("\\*", dptr, 2);
|
STORE("\\*", dptr, 2);
|
||||||
} else {
|
} else {
|
||||||
|
if ((dptr > pcre) && *(dptr - 1) == '/') {
|
||||||
|
#if 0
|
||||||
|
/* handle comment containing use
|
||||||
|
* of C comment characters
|
||||||
|
* /* /*/ and /** to describe paths
|
||||||
|
*
|
||||||
|
* modify what is emitted for * and **
|
||||||
|
* when used as the only path
|
||||||
|
* component
|
||||||
|
* ex.
|
||||||
|
* /* /*/ /**/ /**
|
||||||
|
* this prevents these expressions
|
||||||
|
* from matching directories or
|
||||||
|
* invalid paths
|
||||||
|
* in these case * and ** must
|
||||||
|
* match at least 1 character to
|
||||||
|
* get a valid path element.
|
||||||
|
* ex.
|
||||||
|
* /foo/* -> should not match /foo/
|
||||||
|
* /foo/*bar -> should match /foo/bar
|
||||||
|
* /*/foo -> should not match //foo
|
||||||
|
*/
|
||||||
|
#endif
|
||||||
|
char *s = sptr;
|
||||||
|
while (*s == '*')
|
||||||
|
s++;
|
||||||
|
if (*s == '/' || !*s)
|
||||||
|
STORE("[^/]", dptr, 4);
|
||||||
|
}
|
||||||
if (*(sptr + 1) == '*') {
|
if (*(sptr + 1) == '*') {
|
||||||
/* is this the first regex form we
|
/* is this the first regex form we
|
||||||
* have seen and also the end of
|
* have seen and also the end of
|
||||||
|
@ -621,6 +658,8 @@ static int test_filter_slashes(void)
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int regex_type = AARE_PCRE;
|
||||||
|
|
||||||
int main(void)
|
int main(void)
|
||||||
{
|
{
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
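Review bot: In the `convert_aaregex_to_pcre` hunk the new guard decides from the last emitted byte (`*(dptr - 1) == '/'`) and the next source character whether `*` or `**` is a whole path component, so a glob that follows an alternation is not caught; the description names this gap (`/{foo,}*`), but nothing in the code records it. Because this conversion decides what a profile rule permits, I would add a comment at the check such as `/* NOTE: not applied when * or ** follows an alternation, e.g. /{foo,}* - such a rule may still match the directory itself */`. The lookahead pointer only reads, so `const char *s = sptr;` would be the safer declaration (`sptr` is declared outside the hunk, presumably derived from the `const char *aare` parameter). The last hunk fixes `regex_type = AARE_PCRE` for the unit-test build, so as far as the visible lines show, neither the DFA branch in `filter_slashes` (trailing slash kept) nor the new `[^/]` emission is exercised by a test. The function body continues outside the hunk.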